EDPB adopts position paper on interplay between data protection and competition law
Inter-agency cooperation is becoming increasingly significant for both regulators and regulated entities in light of the increasing volume and scope of digital regulation. The interplay between competition law and data protection law has recently been considered by the European Data Protection Board, following on from the significant 2023 decision of the CJEU in Meta v Bundeskartellamt. The EDPB position paper considers commonalities between data protection law and competition law and makes recommendations for how data protection authorities, competition authorities and policymakers can improve cooperation in these fields.
Background
On 16 January 2025 the European Data Protection Board (“EDPB”) adopted a position paper on the interplay between data protection and competition law.
This position paper was in part prompted by the 2023 European Court of Justice (“CJEU”) decision in Meta v Bundeskartellamt, Case C-252/21 (“Bundeskartellamt”). This case concerned an appeal by Meta against a decision of the German Federal Cartel Office (“FCO”) to impose restrictions on the processing of user data by Meta. The FCO found that Meta’s general terms constituted an abuse of a dominant position and determined that the manner in which it processed certain data was not compliant with the GDPR. A request for a preliminary ruling was made to the CJEU which, in part, raised questions as to the FCO’s competence to enforce the GDPR. The CJEU’s judgment made clear that data protection and competition regulatory objectives are not always mutually exclusive. In particular, the CJEU found that a competition authority, such as the FCO, can find, with respect to an examination of an abuse of a dominant position by an undertaking, that an undertaking’s general terms of use in relation to the processing of personal data and the implementation thereof are inconsistent with the GDPR, where such a finding is necessary in order to establish the existence of an abuse of dominance. The Court caveated that this was subject to compliance by a competition authority (such as the FCO) with its duty of sincere cooperation with the relevant supervisory authority. Cooperation and co-ordination between regulators may be necessary in order to ensure effective and coherent enforcement whilst maintaining the consistent interpretation and application of EU legal norms.
Commonalities between Data Protection Law and Competition Law
The EDPB position paper notes that, although both data protection law and competition law often apply to the same actors/activities, they are distinct areas based on different legal concepts (i.e. one seeks to guarantee the protection of personal data whereas the other seeks to protect the efficient functioning of the market). However, the position paper sets out what the EDPB believes are core commonalities between the two areas of law. The EDPB has identified some common areas of interest/cooperation, which include the following:
- The protection of individuals and their choices
The EDPB considers that strengthening the overlap between data protection law and competition law may reinforce respect for fundamental rights and the proper functioning of the relevant markets. Where data protection considerations are a relevant non-price parameter of competition, the European Commission considers this as consistent with the broad interpretation of the consumer welfare standard adopted in Europe.
- The digital economy
Personal data is now a central aspect of many business models. The result of this, the EDPB considers, is that data protection is, in some cases, a key parameter of competition in digital markets.
- Consent under the GDPR
The Bundeskartellamt decision considered that a dominant position may be liable to affect the level of, or choice of, data protection offerings, and may impact a user’s freedom to consent under the GDPR. The EDPB suggests that dominance (although alone insufficient to invalidate consent) can form part of a broader review of power imbalances under the GDPR.
- Abuse of a dominant position
An abuse of dominance in the context of data protection can arise in a variety of ways. In addition to the exclusionary effect described above, it may arise as an exploitative abuse. For example, excessive data collection as a form of unfair trading condition, or as a barrier to entry that protects market position. The Bundeskartellamt decision also provides that, where determining compliance with the GDPR is relevant to an assessment of abuse of a dominant position, the general terms of use of an undertaking relating to the processing of personal data and their implementation may be assessed by a competition authority as part of the competitive assessment. However, the EDPB emphasises that such an assessment does not replace an assessment made by the competent data protection authority or the decision of the lead supervisory authority in the case of EU cross border processing, in respect of data protection concerns. The EDPB further observed that the duty of sincere cooperation must be adhered to.
- Merger control
Given the possibility that a digital merger could result in the further combination and accumulation of sensitive personal data by a major tech company, that could have a negative impact on competition (as considered in Google/Fitbit and Meta/Kustomer), the EDPB has concluded that greater cooperation between data protection authorities and competition authorities (at national and EU level) could assist in better understanding personal data issues when assessing a proposed merger. The EDPB also had regard to the European Commission’s previous communication that data protection measures may be relevant when defining relevant markets in digital merger control.
Improving co-operation
In the position paper, the EDPB suggests ways in which data protection authorities, competition authorities and policymakers can improve cooperation, noting that cooperation between data protection and competition authorities is, in some cases, mandatory and not optional. The paper suggests:
- National legislators and policymakers should be aware of the possibility that regulatory authorities and bodies competent to supervise the digital sector might need to cooperate more closely in certain cases. This awareness, the EDPB says, is essential in order to ensure that the relevant bodies can be properly resourced and given the necessary tools to ensure efficient cooperation.
- Currently the degree of cooperation between authorities varies considerably between Member States and is not harmonised by EU law. As a consequence, the EDPB suggests that cooperation frameworks (e.g. administrative agreements, joint declarations or memoranda of understanding) be agreed between authorities. Such frameworks could lay down core principles, methods and rules of cooperation (e.g. forms of communication, deadlines, guidelines, policy recommendations etc.). These frameworks can also encourage authorities to consider decisions or penalties previously taken or issued by other authorities and can govern how information is shared.
- Within authorities, internal measures such as setting up a dedicated team to coordinate cooperation tasks and to act as a single point of contact for other authorities, could promote cooperation with other supervisory authorities. The EDPB has suggested that these teams should be regularly trained on the relevant legal landscape/developments in the law and should engage in working groups with each other.
- With a view to ensuring efficient cooperation, authorities should develop a basic understanding of and familiarity with the regulatory framework employed by relevant counterparts. This means, for example, before entering discussions with the relevant competition authority on an issue, the relevant data protection authority should have a preliminary understanding of the concept of relevant market and whether certain entities in issue occupy a dominant position.
- Where more structured and regular cooperation is warranted, the EDPB suggests that this could be best achieved by establishing cooperation protocols under the duty of sincere cooperation. This, in the EDPB’s view, is the most effective way to ensure reciprocal consultations and may reduce the risks of double jeopardy in respect of two parallel investigations into the same entity/conduct. The EDPB also suggests that joint sector inquiries/investigations be pursued.
Conclusion
In the aftermath of the Bundeskartellamt decision, the interplay between competition law and data protection law is likely to come into increased focus for regulators and regulated entities alike. The EDPB position paper, while not binding, provides an interesting insight into the Board’s views of how this might work going forward. One can also think of other areas in which a competition authority might usefully consult with the relevant data protection authority, such as in testing the validity of a defence grounded in data protection law (e.g. a refusal to grant access to data as a result of data protection considerations) or remedy proposals in merger control or abuse of dominance cases.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
Select how you would like to share using the options below